Fedora Weekly News Issue 260

Welcome to Fedora Weekly News Issue 260[1] for the week ending January 26, 2011. What follows are some highlights from this issue.

Announcements cover the official release of Fedora 14 64-bit for IBM System z and upcoming details on gtk2 support ending for Evolution-related packages in Rawhide, the development version of Fedora. We have three articles in Fedora In the News, and Quality Assurance previews the first upcoming Fedora 15 Test Day, gives updates on the AutoQA process, and more. Our issue this week wraps up with security-related packages released this past week for Fedora 13 and 14. Enjoy!

Audio versions of some issues of FWN (FAWN) are available! You can listen to existing issues[2] on the Internet Archive. If anyone is interested in helping spread the load of FAWN production, please contact us!

If you are interested in contributing to Fedora Weekly News, please see our 'join' page[3]. We welcome reader feedback: news@lists.fedoraproject.org

Security incident on Fedora infrastructure on 23 Jan 2011

"Summary: Fedora infrastructure intrusion but no impact on product integrity

On January 22, 2011 a Fedora contributor received an email from the Fedora
Accounts System indicating that his account details had been changed. He
contacted the Fedora Infrastructure Team indicating that he had received
the email, but had not made changes to his FAS account. The Infrastructure
Team immediately began investigating, and confirmed that the account had
indeed been compromised.

At this time, the Infrastructure Team has evidence that indicates the account
credentials were compromised externally, and that the Fedora Infrastructure was
not subject to any code vulnerability or exploit.

The account in question was not a member of any sysadmin or Release Engineering
groups. The following is a complete list of privileges on the account:

* SSH to fedorapeople.org (user permissions are very limited on this machine).
* Push access to packages in the Fedora SCM.
* Ability to perform builds and make updates to Fedora packages.

The Infrastructure Team took the following actions after being
notified of the issue:

1. Lock down access to the compromised account
2. Take filesystem snapshots of all systems the account had access to (pkgs.fedoraproject.org, fedorapeople.org)
3. Audit SSH, FAS, Git, and Koji logs from the time of compromise to the present

Here, we found that the attacker did:

* Change the account's SSH key in FAS
* Login to fedorapeople.org

The attacker did not:

* Push any changes to the Fedora SCM or access pkgs.fedoraproject.org in any way
* Generate a koji cert or perform any builds
* Push any package updates

Based on the results of our investigation so far, we do not believe that any
Fedora packages or other Fedora contributor accounts were affected by this
compromise.

While the user in question had the ability to commit to Fedora SCM, the
Infrastructure Team does not believe that the compromised account was used to
do this, or cause any builds or updates in the Fedora build system. The
Infrastructure Team believes that Fedora users are in no way threatened by this
security breach and we have found no evidence that the compromise extended
beyond this single account.

As always, Fedora packagers are recommended to regularly review commits to
their packages and report any suspicious activity that they notice.

Fedora contributors are strongly encouraged to choose a strong FAS password.
Contributors should *NOT* use their FAS password on any other websites or
user accounts. If you receive an email from FAS notifying you of changes to
your account that you did not make, please contact the Fedora Infrastructure
team immediately via admin at fedoraproject.org.

We are still performing a more in-depth investigation and security audit and we
will post again if there are any material changes to our understanding."

Fedora 14 for IBM System z 64bit official release

"It's been a long time since we last had an official release of IBM
System z on Fedora...

A really long time...

A really, really long time...

In fact and to be precise, it's been 134,265,600 seconds or 2,237,760
minutes or 37,296 hours or 1554 days since Fedora 6 was released on
October 24th 2006 which was the last release where IBM System z was
included.

But today, today changes all this.

As today, the Fedora IBM System z (s390x) Secondary Arch team proudly
presents the Fedora 14 for IBM System z 64bit official release!

but beware that currently the images found there are still outdated,
we're working on fixing that over the next weeks.

Additional information about known issues, the current progress and state
for future release, where and how the team can be reached and just
anything else IBM System z on Fedora related can be found here:

rawhide update (2.91.6) of evolution-related packages is gtk3 only

"Evolution team drops support for gtk2 in 2.91.6 release of
evolution-related packages (gtkhtml3, evolution-data-server and
evolution) which might make trouble for dependent packages which are
still gtk2. I expect there will follow gtk3 updates for them in the near
future too, if not done already (this is mainly for packages using
libedataserverui and gtkhtml3, the rest should be fine).

There are soname bumps and API version bumps in the above-mentioned
packages as well. The release will be done on Monday, when I plan to
update rawhide too (+/- a few days, if something goes wrong)."

Fedora Events

Fedora events are the exclusive source of marketing, learning and meeting all the fellow community people around you. So, please mark your agenda with the following events to consider attending or volunteering near you!

Open source status report reveals good health and profits (NetworkWorld)

Rahul Sundaram forwarded[1] a posting reporting on some statistics on the vitality of the Fedora Project:

"The Fedora Linux project sees over 2 million unique visitors to its
site in a given month; over 150,000 downloads; and over 25,000 active
contributors of code, documentation, translations and bug submissions
per month."

"Long story short is that a Fedora contributor had his/her credentials
stolen and then an attacker began to use those credentials to attempt to
tamper with the Fedora infrastructure. Due to the limited privileges of
the exploited account (and some good luck) it appears as though there
has been no risk to Fedora's build or infrastructure."

Test Days

This week sees the first Fedora 15 Test Day on 2011-01-27[1], on network device naming changes upcoming in Fedora 15. On compatible systems, Fedora 15 will use biosdevname[2] to name the network interfaces; this provides a fully deterministic naming scheme on such systems, as opposed to the current system, where you cannot be sure that a given interface's name in Fedora will reflect its physical location or label. The Test Day will ensure this system is working correctly and also that it does not override existing preferred names on upgrades, so if you want to make sure this change has no unexpected consequences for you, make sure to come along to the Test Day! The testing involved will be easy and possible from a live image, and the Test Day page has instructions to find out if your hardware is involved in this change.

Next Thursday, 2011-02-03, will see the first of three planned Test Days on the GNOME 3 desktop[3], which is landing in Fedora 15. Mark it on your calendar!

Refining Bugzilla messages on updated packages

Test case management system proposal and requirements

During the QA weekly meeting of 2011-01-24[1], Rui He reported that she had completed the review of use cases[2] and features[3] in comparing the current Wiki-based system for managing test cases and the potential replacement, Nitrate[4]. The next step is to identify must-have and nice-to-have features to see if any are missing from Nitrate, and write scripts to convert Wiki test cases into Nitrate test cases.

Multi-spin DVD review

On a request from David Nalley, some group members reviewed the proposed multi-spin DVD[1]. Jóhann Guðmundsson suggested testing boot and installation of each live environment on the DVD. Christoph Wickert, the main proposer of the spin, agreed that this would be a good idea, but did not expect to hit any problems.

Smolt graphics card generation extraction

Adam Williamson suggested a project for anyone looking for one - extracting information on graphics card generations from Smolt[1]. He explained that this would be useful for assessing the overall level of support for GNOME Shell in Fedora 15.

AutoQA

The new koji watcher implementation submitted for review last week by Josef Skladanka, and the dependency checking test submitted by Will Woods, were both reviewed this week[1][2][3][4]. The AutoQA team also identified an issue in Bodhi's use of -pending tags, which Luke Macken rapidly fixed.